Spanish election site in security cert warning screwup snafu
Say hola! to hopeless holey homepage hell
Updated Website crypto problems on the Spanish online voting registration website are causing it to generate all manner of security warnings.
Attempts to visit the sede.ine.gob.es site – run by Spain's National Statistics Institute and introduced this year for municipal/regional elections – typically lead to users being confronted with a security warning.
However, the warnings vary depending on the operating system and browser a surfer is using.
Such website problems are sadly common, but the flaws in the Spanish voter registration website are more than normally important, since the site requests that users upload personal information, including copies of passports, ID cards and marriage certificates.
El Reg learnt of the problem from reader Kulvinder Singh, who blogged about the topic.
IT security consultant Paul Moore said that the site's certificate is not self-signed, contrary to Singh's initial conclusion. Moore does agree with Singh that the site is beset with crypto problems, however, as evidenced by the poor rating from SSL Labs. The site scores an F.
Ivan Ristic, a software engineer and founder of SSL Labs, said that the site has been "left without a valid certificate".
"Having a valid certificate is a crucial first step in securing any website, let alone one that is used for voter registration," Ristic told El Reg. He added that a lack of support for modern TLS standards was one of the site's main problems.
Moore backed up Ristic's conclusions: "The CA certificate is the least of their concerns. The CA does not meet the minimum CA inclusion requirements for Mozilla, so it's not in the root certificate store. If you view the site in Chrome/IE (in which this CA is trusted), the site loads fine."
"It's a complete mess, but it certainly highlights the dichotomy between how browsers define 'secure'. Firefox warns you that it's not safe, Chrome & IE literally give the green light," Moore added.
The issuing Certificate Authority (FNMT-RCM) is part of the Microsoft Trusted Root Program, explaining why it is trusted by IE but not other browsers. Other experts said the focus ought be on the site being insecure, rather than the inconsistent warnings this generates.
Ristic concluded: "The certificate warning is a 20-year-old problem that won't be fixed. Instead, websites should be focused on deploying HTTP Strict Transport Security, which fails closed, meaning that when a certificate is invalid you simply can't open the site in question."
We've requested comment from Spain's National Statistics Institute about its website crypto problems and will update this story as and when we hear more.
Spain's regional elections (info here, English language PDF) take place on 24 May. ®
Spain's National Statistics Institute, which runs the election registration site, got back to us on April 17 to say: "We are checking our security systems in order to solve the detected deficiencies."